To: The United States Marshal

YOU ARE HEREBY COMMANDED to arrest JEFFREY LEE PARSON
and bring him forthwith to the nearest magistrate to answer a

_ Indictment _ Information X Complaint _ Order of Court _ Violation Notice _ Probation Violation Petition

charging him with (brief description of offense)
Intentionally Causing and Attempting to Cause Damage to a Protected Computer

in violation of Title 18 United States Code, Section 1030
UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF WASHINGTON
AT SEATTLE

UNITED STATES OF AMERICA, Plaintiff,
v.
JEFFREY LEE PARSON, Defendant.

DOCKET NO. 03-45FH

COMPLAINT FOR VIOLATION
U.S.C. Title 18, Sections 1030(a)(5)(A)(i), 1030(a)(5)(B)(i), 1030(b), and 1030(c)(4)(A), and Section 2


BEFORE Monica J. Benton, United States Magistrate Judge,
United States Courthouse, 1010 Fifth Avenue, Seattle, Washington.

The undersigned complainant being duly sworn states:

COUNT ONE
(Intentionally Causing and Attempting to Cause Damage to a Protected Computer)
Beginning on or about August 2003, and continuing until the present, within the Western District of Washington, and elsewhere, JEFFREY LEE PARSON knowingly caused and attempted to cause the transmission of a program, information, code, and command, that is, an Internet worm and packets of data sent in the form of a distributed denial of service attack, and as a result of that conduct, intentionally caused and attempted to cause damage, without authorization, to protected computers, that is, computers of Microsoft Corporation and other computers throughout the world that were used in interstate or foreign commerce or communication, causing an aggregate loss to Microsoft Corporation and other persons of at least $5,000 in value during a one-year period.

All in violation of Title 18, United States Code, Sections 1030(a)(5)(A)(i), 1030(a)(5)(B)(i), 1030(b), and 1030(c)(4)(A), and Section 2.

DAVID FARQUHAR, being first duly sworn on oath, deposes and says: 

1. I am a Special Agent with the Federal Bureau of Investigation (FBI), United States Department of Justice, and have been so employed since February 2003. Before joining the FBI, I was employed in the Information Technologies field for more than five years. During that time I gained experience in web site design, application design and development, database architecture, and data security. I have worked as a Software Consultant, a Senior Database Administrator, and as an Assistant Vice President of Data Management. I am familiar with many different operating systems and web server application software, including Microsoft Windows and its versions, several varieties of Unix and Linux, the Apache web server, and Microsoft's web server named Microsoft Internet Information Server. In addition, I have been involved in internal company investigations and inquiries requiring the examination and evaluation of digital evidence stored on various computer systems. In these investigations and inquiries I was typically responsible for determining: (1) what particular actions a user may have taken; (2) what evidence of this activity may have been created; (3) what evidence was found; and (4) what conclusions regarding the user's activities could be drawn from the evidence found. I am currently assigned to the Cyber Squad in the Seattle Division of the FBI. The Cyber Squad is assigned to investigations involving, among other things, computer intrusions and Internet fraud.

2. I make this affidavit in support of a Complaint charging JEFFREY LEE PARSON with Intentionally Causing and Attempting to Cause Damage to Protected Computers, and aiding and abetting, in violation of Title 18, United States Code, Sections 1030(a)(5)(A)(i), 1030(a)(5)(B)(i), 1030(b), and 1030(c)(4)(A), and Section 2. The information contained in this affidavit is based on my own participation in a joint FBI and United States Secret Service (USSS) investigation into the “Blaster” Internet worm and its variants, as well as information provided to me by other FBI and USSS Special Agents and by the victims, including Microsoft Corporation (Microsoft). I have set forth only the facts that I believe are necessary to establish probable cause for the charges.
3. The Internet is a globally distributed network of interconnected computers. Traffic is routed from computer to computer based on Internet Protocol (IP) addresses. IP addresses uniquely identify computers and provide a uniform method of identifying them. Several central organizations manage blocks of addresses which are then leased to smaller companies that resell individual addresses. Because humans often have difficulty remembering long strings of numbers, Internet domain names (e.g., www.fbi.gov) exist to provide simple-to-remember addresses that are resolved, or matched, to the IP addresses of the intended computer. Users can provide a domain name, and services available on the Internet resolve the name to a number and provide a connection to the appropriate IP address. Domain names are registered with several registrant organizations that require that domain names be globally unique. To facilitate Internet based communications, domain name registration and IP address allocation information is publicly available.

4. Two types of malicious communications can be directed toward a computer on the Internet, and they can be employed separately or together. The first type of malicious communication seeks to gain unauthorized access or control of the computer remotely. The second type of malicious communication seeks to disrupt the legitimate operation and usage of the computer. This is known as a Denial of Service (DoS) attack. A DoS attack also can be distributed among multiple computers, each conducting its own DoS attack against the same target. In this scenario, the target is inundated with requests from an overwhelming number of sources. The human operators of such a target computer cannot instruct the computer to ignore malicious sources fast enough to prevent the computer from being overwhelmed. This type of attack is called a Distributed Denial of Service (DDoS) attack, and it is much more common than a single-source DoS. A DDoS attack is capable of effectively shutting down a target computer by overwhelming its resources. DDoS attacks prevent an entity (e.g., government agency, business, etc.) from conducting its online business activities, undermine public confidence in the Internet and the entity, and divert entity resources.

5. An individual who gains remote control of a computer can use that computer to participate in a DDoS attack. This provides a buffer between the individual launching the attack and the target. The target sees communications from the compromised computer (often referred to as a “drone”), not from the controlling individual. The effectiveness of the DDoS attack is dependent on the number of drone computers and the capacity of the target computer to handle communication requests.

6. An individual who compromises other computers for later use as agents in a DDoS attack has options for controlling the attack. The first option is to preprogram the drone computer with instructions on how, where, and when to attack. A second option is to establish a line of communication between the individual and each drone computer. This allows remote control of multiple drone computers. This latter option provides the individual with the ability to adapt and modify the attack at any time.

7. As set forth in greater detail below, based on my training and experience, I believe that JEFFREY LEE PARSON is responsible for, among other things, knowingly developing and releasing, and aiding and abetting the development and release of, onto the Internet a variant of the Blaster worm that infected at least 7,000 individual Internet users' computers, turned those computers into drones that attacked or attempted to attack Microsoft and, in particular, its web site www.windowsupdate.com. As a result, JEFFREY LEE PARSON intentionally caused significant damage, without authorization, to Microsoft and other victim computers that significantly exceeds $5,000.00.

8. The information in the following paragraphs was provided to me by representatives of Microsoft, including several software development engineers who have been assigned to work on the issues described herein. Sometime in early July 2003, Microsoft Corporation (Microsoft) was contacted confidentially by a research group known as Last Stage of Delirium (LSD). LSD had found a vulnerability in Microsoft's Windows family of operating system software. The vulnerability allows a computer to issue a command to another computer that will cause an error on the target computer. Following this error, the user issuing the command gains elevated access to the target computer. This allows the attacking computer to gain unauthorized access to the target computer. Microsoft developed a patch that removes the vulnerability and posted the patch in Microsoft Security Bulletin MS03-026. This was made available for download from Microsoft on or about July 16, 2003.

9. Shortly after the release of the patch, a Chinese group of computer experts named 
“XFocus” reverse-engineered the patch and found the vulnerability. XFocus then developed 
exploit code that can be used to exploit the vulnerability and gain remote access to target 
computers. XFocus also developed a scanning tool that searches the Internet for computers that 
have the vulnerability and that have not been patched. XFocus made their source code for the 
exploit and the scanning tool available to the public via the Internet. 

10. On or about August 11, 2003, Microsoft became aware of an Internet worm named Blaster. Blaster is based on the XFocus code and scans the Internet for targets, attacks them, and installs itself on the target computers. Each target computer then begins scanning and infecting other computers. Within three days, Blaster had infected an estimated one hundred thousand to two hundred thousand computers. By August 15, 2003, estimates were as high as more than one million infected computers. The Blaster worm included a preprogrammed payload of DDoS attack code. The attack code used a date and time based algorithm to launch a DDoS attack against Microsoft's www.windowsupdate.com domain name beginning on August 16, 2003. The Microsoft servers affected by this are located in the Western District of Washington. Despite exposure in the media and from Microsoft, hundreds of thousands, if not millions, of computers have not yet been patched.

11. On or about August 14, 2003, Microsoft became aware of several variants of the Blaster code. One particular variant was referred to by the Internet security community by a number of different names including “W32/Lovesan.worm.b” (hereinafter “Lovesan B”). Microsoft engineers were able to obtain several copies of executable code for this variant. Microsoft engineers disassembled the code and were able to understand what this variant does. Lovesan B contains a variant of the Blaster worm, renamed “teekids.exe”. This variant code is functionally equivalent to the Blaster code, including the code that directs compromised computers to attack the Microsoft domain name www.windowsupdate.com, but it contains some slightly modified message strings. In addition, Lovesan B installs a back door (a way of getting into a password protected system without using the password) on the infected computer. The back door, known as “Lithium”, allows remote control of the system. Finally, Lovesan B contacts the web site www.t33kid.com. It then registers itself with a computer script residing on the web site by providing its IP address to the site.

12. Microsoft was able to test Lovesan B by intentionally infecting a computer and witnessing it connect to the www.t33kid.com web site and provide its IP address. This was also witnessed by USSS Special Agent John Liau, who has served as an Electronic Crimes Special Agent for five years and has received extensive training on network intrusions and forensic computer data analysis. Based on the above information, Special Agent Liau and Microsoft believe that the www.t33kid.com web site was being used to compile a list of compromised computers. Using the Lithium back door, and the list of computers, all the infected computers can be remotely controlled.

13. Subsequently, Special Agent Liau used a Domain Name Service query search on a publicly available database to resolve the web site (www.t33kid.com) to Internet Protocol (IP) Address 209.126.247.158. Special Agent Liau then researched this IP address and discovered that it belongs to California Regional Internet, Inc. (CARI). CARI is located at 8929A Complex Drive, San Diego, California 92123. This information was provided by the American Registry for Internet Numbers (ARIN).

14. A closer examination of the www.t33kid.com web site by Special Agent Liau revealed that the web site contained the programming source code for multiple Internet worms. These worms included one peer-to-peer worm that spreads via Kazaa and Imesh file sharing. Also on the web site were multiple links to various other web sites, such as www.evileyesoftware.com, www.bots.bl.am, and www.sinred.com. These web sites offer various back doors that can be downloaded, distributed, and used.

15. On August 15, 2003, I contacted Steve Wallace at CARI. He advised that Keith Baldwin's company, SouthO, rents hardware rack space and Internet connectivity from CARI. Wallace confirmed that the IP address 209.126.247.158 is allocated to Keith Baldwin and is physically located at 8929A Complex Drive, San Diego, California 92123.
16. On the same day, I contacted Keith Baldwin, and he provided the following information: He provides hardware and leases computer server access to several clients. Brian Davis is the client who leased the IP address 209.126.247.158. Baldwin advised that Davis leases web hosting services on the server to several parties. Baldwin provided the following physical address for Davis: [redacted], Watauga, Texas 76148. Baldwin stated that he was not surprised that there was some issue with the web site using that IP address because CARI had forwarded to him complaints it had received about the web site. Specifically, Baldwin advised that on August 12, 2003, he received an email from CARI indicating that someone had contacted CARI to complain that his computer had been infected with some code that was attempting to contact the www.t33kid.com web site.

17. On August 16, 2003, FBI agents secured the computer that hosted the www.t33kid.com web site and obtained a search warrant for it. The forensic analysis of that computer is pending.

18. Also on August 16, 2003, Brian Davis was interviewed at his residence at [redacted], Watauga, Texas, by USSS Special Agent Derrick Day and FBI Special Agent Miguel Clarke. Davis stated that he controlled the computer located at CARI in San Diego, but did not have anything to do with the web site www.t33kid.com. Davis stated that www.t33kid.com was set up and operated by a user on his system called “teekid”. Davis stated that he had communicated with “teekid” on multiple occasions over Internet Relay Chat (IRC). Davis was able to provide an IP address for “teekid” of 24.94.194.76. Davis stated that he knew “teekid” had performed DoS attacks and had written various Internet worms.

19. On August 18, 2003, Special Agent Day informed Special Agent Liau that Brian Davis had contacted him with more supporting information about “teekid”. Davis informed Special Agent Day that he had been doing additional research and had discovered a web site that appeared to match the www.t33kid.com web site. Davis identified the newly discovered web site as dl.t33kid.com.

20. Upon receiving this information, Special Agent Liau used the ARIN public online database to determine the IP address to which the dl.t33kid.com name is assigned. This research revealed that dl.t33kid.com is linked to the IP address 24.94.194.76, which is the same IP address provided by Brian Davis for “teekid”. Therefore, it appears that “teekid” is hosting the
Liau accessed that web site and found that it does indeed match the www.t33kid.com website, which as set forth above had been used for the collection of IP addresses of compromised computers. Since dl.t33kid.com is a copy of www.t33kid.com, it also can be used to capture IP addresses of compromised computers. This list of computers can then be used to perform DDoS or other Internet attacks.

21. Also on August 18, 2003, Special Agent Liau used the ARIN public online database on the entire t33kid.com domain name, and found that it is registered to JEFF PARSON, [redacted], Hopkins, MN.

22. On the same day, Time Warner Cable, an Internet Service Provider, confirmed that
cable or digital subscriber line (DSL). In the case of cable or DSL Internet service, the IP address is assigned to a computer located at the account's physical address.

23. On the same day, Special Agent Liau conducted searches on the online database Choicepoint for Robert Parson and JEFF PARSON at the [redacted], Hopkins, MN, address. According to Choicepoint, Robert, Rita, and JEFF PARSON all reside at the address. JEFFREY LEE PARSON, who is 18 years old, also has an identification card issued to him at that address.

24. On August 19, 2003, FBI Special Agent Michael Lawrence obtained a search warrant from the United States District Court for the District of Minnesota for the residence at [redacted], Hopkins, Minnesota. FBI and USSS Special Agents executed the warrant the same day. As a result of their search, the agents found and seized seven computers located in several rooms in the house. The forensic analysis of these computers is pending.

25. At the time of the search, FBI Special Agent Eric Smithmier interviewed JEFFREY LEE PARSON, who provided the following information: PARSON admitted modifying the Blaster worm and creating the variant known by a number of different names including W32/Lovesan.worm.b. PARSON also admitted that he renamed the original “MSBlast.exe” executable “teekids.exe”, after his online name “teekid”. PARSON explained that he included the back door remote access software “Lithium” so that he could reconnect to the infected computers at a later time. In addition, in order to maintain a list of compromised computers, PARSON admitted that he included code that directed each of the infected computers to contact the www.t33kid.com website and register itself.

26. I have spoken with Microsoft representatives about the losses they incurred as a result of the Blaster worm, and in particular the variant that JEFFREY LEE PARSON released on the Internet. Microsoft expended significant internal and external (e.g., contracted) resources to respond to the DDoS attack launched by JEFFREY LEE PARSON. Those resources were used for a number of different purposes directly related to the Blaster worm including, but not limited to, minimizing any damage to Microsoft, conducting damage assessments, restoring full access for its customers to Microsoft resources including, in particular, the patch for the Blaster worm, and the like. The loss to Microsoft significantly exceeds the $5,000.00 threshold set forth in Title 18, United States Code, Section 1030(c)(4)(A). In addition, at least 7,000 individual Internet users' computers were compromised by the variant of the Blaster worm that was released by JEFFREY LEE PARSON. As a result, each of those users had to disinfect their systems resulting in a presently unknown, but significant aggregate loss, to them.

27. Based on the foregoing information, I believe there is probable cause that JEFFREY LEE PARSON has committed the crime of Intentionally Causing and Attempting to Cause Damage to a Protected Computer, and aiding and abetting, in violation of Title 18, United States Code, Section 1030(a)(5)(A)(i) and (B)(i), Section 1030(b), Section 1030(c)(4)(A), and Section 2.

DAVID FARQUHAR, Complainant
Special Agent, Federal Bureau of Investigation

Complaint and affidavit sworn to before me this ___ day of August, 2003.

MONICA J. BENTON
United States Magistrate Judge